Locking Down WordPress Admin and Login URLs

For WordPress admins lucky enough to only need access from a fixed set of IP addresses (IPv4 or IPv6), you can lock down access to the wp-admin and wp-login.php URLs in your Apache configuration with just:

# Deny everyone, then allow only the listed addresses
<Location /wp-admin/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128 10.1.2.3/32 1234:5678:90ab:cdef::/64
</Location>

# Same allowlist for the login script itself
<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128 10.1.2.3/32 1234:5678:90ab:cdef::/64
</Files>
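
The same allowlist in Apache 2.4's native authorization syntax, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_authz_host; on 2.4 the Order/Deny/Allow directives above only work when mod_access_compat is loaded.

```apache
# Apache 2.4 (mod_authz_host).
# Several Require lines in one container are ORed together; a client
# matching none of them is refused.
<Location /wp-admin/>
    # Loopback, IPv4 and IPv6
    Require ip 127.0.0.0/8 ::1
    # The single admin host and the admin IPv6 /64 from the post
    Require ip 10.1.2.3 1234:5678:90ab:cdef::/64
</Location>

<Files wp-login.php>
    Require ip 127.0.0.0/8 ::1
    Require ip 10.1.2.3 1234:5678:90ab:cdef::/64
</Files>
```

Keep the two containers' lists identical, and check from an address outside the list that both URLs return 403. Note that /wp-admin/admin-ajax.php falls under the first container, so front-end features that call it will also be refused for visitors outside the list.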

Hopefully that helps someone!

3 thoughts on “Locking Down WordPress Admin and Login URLs”

  1. There are many more ways of locking this down right? You can just change the URL of the login page.. Or why would you change it anyway if you got a well protected / not easy to crack password?

    • This is a post about locking things down by IP address, so it’s something you could do as well as renaming it, for defence in depth. As for a good password, well true, but if they are brute forcing passwords it may not matter how good it is…
